Rage against the encryption – law enforcement reaction to cryptography proliferation
While development of TrueCrypt ended in a rather mysterious and abrupt manner, during its lifetime the program became much more than just another encryption utility. The reason for its popularity and status could be summarised in one word: unbreakable. While TrueCrypt was just a method of applying AES, it became synonymous with the encryption that protects you from police raiding your hard drives. Indeed, it was impossible to find a more polished, user-friendly and available full disk encryption solution. Furthermore, encryption has crawled out of hard drives, and in the newest development Google and Apple declared that the companies will not decrypt devices even at the government’s request. Law enforcement, as could be expected, declared that such an attitude will make it impossible to solve certain cases and compared encryption to a ‘house or safe that cannot be searched’. Unfortunately, officials failed to provide precise examples or a cost/benefit analysis weighing evidence collection against the right to privacy, instead using the common ‘think of the children’ emotional appeal and absurd hyperboles such as ‘Apple will become the phone of choice for the pedophile’. What is even more interesting, while FBI officials were opposed to the idea, the ACLU said that it is a move in the right direction and will greatly increase personal privacy. What about internet browsing? Mozilla hinted at default integration of Tor into Firefox, certainly a bold move that, depending on relay and exit node support, could be a game changer for both Tor and internet anonymity.
It has to be said that law enforcement officers do have merit on one point – the increasing prevalence of encryption will make their job harder. Untraceable hidden services and files hidden in an encrypted, unbreakable storage medium could very well protect from conviction, for example, a distributor of child pornography. However, two problems arise from the position represented by law enforcement: a) to what degree the government may forbid private citizens from using security measures, and b) what the alternative to leaving encryption unbreakable is. The former is the classical dilemma of privacy vs safety, with a hint of the right to property. While the privacy / safety debate has been going on almost constantly since the NSA spying program leaks and the arguments tend to repeat over time, this issue raises the question of where law enforcement would like to put the limit on citizens fortifying their property. Just as an encrypted hard drive can prevent a conviction for possession of child pornography, a door lock and shutters may hide the victim of a kidnapping. It is obviously hard to imagine anybody arguing for abolishing locks, and there are hardly any laws against fortifying a house (I have found two examples, including one reported on Alex Jones’ site and one related only to biker clubs’ premises). The difference between physical and digital safety measures in this case is that the government will always have enough firepower (literal or figurative) to breach the former. In this way, saying that it is the equivalent of having a closet that cannot be searched is somewhat justified. However, the law is almost entirely on the side of private citizens. In Poland, as in most countries, criminal procedure specifies that under a search warrant the suspect has to hand over devices, while procedural guarantees (often enacted at the level of the constitution) say that nobody is obliged to provide testimony against himself. Therefore, a suspect cannot be forced to provide the encryption key for potentially incriminating materials.
On the other hand, it has to be noted that key disclosure laws do exist and do result in convictions. For example, in the UK, under the Regulation of Investigatory Powers Act 2000, a court order may force a person to decrypt data; failure to comply results in a penalty of up to two years of imprisonment. Similar provisions exist in Belgium and France. Such legislation has to raise the question of how the evidentiary standard can be met, that is, how to prove beyond reasonable doubt that the failure to decrypt is not the result of forgetting the encryption key, especially given that proper keys should be over twenty characters long and include alphanumeric characters.
The solution which law enforcement seems to seek is banning personal use of encryption and / or forcing developers to include a backdoor in encryption utilities. Regarding a ban on encryption, I believe it is fair to say that nobody would seriously propose it in the western world. First of all, the proliferation of software is impossible to stop in the era of torrents and The Pirate Bay. Just as music, movies and computer games are illegally exchanged through peer-to-peer networks on a massive scale, encryption software could be available regardless of any law. Furthermore, many encryption solutions (such as TrueCrypt or DiskCryptor, probably the two most important and popular full disk encryption utilities) are based on an open source licence, meaning that hundreds of clones might emerge in a relatively short time. Second, even less tech-savvy legislators probably realise the backlash that would come from civil liberties groups and liberal-leaning media outlets, who certainly wouldn’t hesitate to compare it to the Great Firewall of China or the infamous Pakistani law targeting VPN services. Before discussing the backdoor approach, let’s discuss the not often raised right to property argument. The question is whether setting limitations on the legal use of encryption software could be classified as an intrusion into the peaceful enjoyment of possessions (a provision included in the European Convention on Human Rights). A cryptography ban could set a dangerous precedent, as it is unclear where the line would be drawn on what limitations could be put on data manipulation. Extrapolating, one could imagine that shredding data using methods which prevent its forensic recovery has also enabled some criminals to evade conviction. Is the next step regulating this kind of software?
Unfortunately, law enforcement officials do not hesitate to advocate putting backdoors in smartphones’ software. Such behaviour could be seen as an example of the disparity between approaches to similar situations in the physical and digital worlds. It is quite hard to imagine a government official announcing with a straight face that law enforcement would like to get a master key to every home in the country. Furthermore, massive civil liberties concerns are not the only problem with this approach. Every security researcher will agree that adding a backdoor to any software is nothing other than intentionally weakening its security. That is especially the case with the backdoors law enforcement would like to see – undetectable and completely hidden from the user. On top of that, the consequences of potential disclosure and exploitation of such a vulnerability would be massive to say the least; after all, it would result in having to update or maybe even completely reinstall the OS on every single mobile device of a given producer. Requiring companies to carry such a risk certainly puts an unreasonable burden on them. The best summary of the whole situation seems to be the fact that Ronald Hosko – former Assistant Director of the FBI Criminal Investigative Division and author of the Washington Post op-ed in which he bashed Apple and Google’s decision – had his facts wrong. The case he mentioned, a kidnapping in Wake Forest, N.C., was solved using wiretapping and toll records collection – something completely unrelated to, and unhindered by, encryption. Law enforcement agencies always have advocated and always will advocate the inclusion of intrusive legal instruments; however, it is a sombre realisation how the aim has shifted from facilitating the process of criminal justice to simply having more power.